17:12 <jdstrand> #startmeeting
17:12 <meetingology> Meeting started Mon Jan 12 17:12:45 2015 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
17:12 <meetingology>
17:12 <meetingology> Available commands: action commands idea info link nick
17:12 <jdstrand> The meeting agenda can be found at:
17:12 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
17:12 <jdstrand> [TOPIC] Announcements
17:13 <jdstrand> Lev Lazinskiy (levlaz) provided a debdiff for precise for nginx (LP: #1370478). Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
17:13 <ubottu> Launchpad bug 1370478 in nginx (Ubuntu Utopic) "[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"" [Undecided,Fix released] https://launchpad.net/bugs/1370478
17:13 <jdstrand> [TOPIC] Weekly stand-up report
17:13 <jdstrand> I'll go first
17:13 <jdstrand> I'm on triage this week
17:13 <chrisccoulson> hi
17:13 <jdstrand> I have some stuff to look at regarding snappy for this week
17:13 <jdstrand> and need to get to my pending updates
17:14 <jdstrand> mdeslaur: you're up
17:14 <mdeslaur> I'm on community this week
17:14 <mdeslaur> I'm currently testing openssl which should go out in a few minutes
17:14 <mdeslaur> I also have an embargoed issue to look at
17:14 <mdeslaur> and have a bunch of other pending CVE updates I'm working on
17:14 <mdeslaur> that's it for me, sbeattie
17:15 * mdeslaur pokes sbeattie with stick
17:16 <jdstrand> perhaps go to tyhicks and circle back around to sbeattie?
17:17 <tyhicks> I'm currently working on git updates
17:17 <tyhicks> the precise backport was failing the in-tree tests but I think I've just identified the problem so they should be going out today or tomorrow
17:17 <tyhicks> then I plan on helping out wherever possible with bug #1408106
17:17 <ubottu> bug 1408106 in AppArmor "attach_disconnected not sufficient for overlayfs" [Critical,In progress] https://launchpad.net/bugs/1408106
17:18 <jdstrand> tyhicks: where are we on that dbus apparmor bug?
17:18 <tyhicks> jdstrand: that's next on my list :)
17:18 <jdstrand> ah ok
17:19 <tyhicks> jdstrand: I haven't been able to look at it in some time
17:19 <tyhicks> but I expect to spend most of my time this week on bug #1362469
17:19 <ubottu> bug 1362469 in dbus (Ubuntu) "AppArmor unrequested reply protection generates unallowable denials" [Medium,In progress] https://launchpad.net/bugs/1362469
17:19 <tyhicks> that's it for me
17:19 * sbeattie is here
17:19 <jdstrand> not meaning to rush or reprioritize it. it came up in a meeting today that we'll likely be looking at moving rtm branch to vivid in the coming couple/few months
17:20 <jdstrand> tyhicks: ^
17:20 <tyhicks> jdstrand: yep, I need to get it fixed and then post the latest set of revisions to the upstream dbus bug
17:20 <jdstrand> cool, thanks
17:20 <tyhicks> so there are two good reasons to get it fixed asap
17:20 <tyhicks> go ahead, sbeattie
17:20 <jdstrand> (that's it from me-- sbeattie and then jjohansen?)
17:20 <sbeattie> I have a set of yaml updates to go out later today.
17:21 <sbeattie> I have some upstream apparmor patches to review
17:21 <sbeattie> I need to get the pie stuff back on the front burner
17:21 <sbeattie> I'll also probably pick up the binutils update to work on in the background
17:22 <sbeattie> Sorry, I'm also expecting to work on bug 1408106 as needed as well.
17:22 <ubottu> bug 1408106 in AppArmor "attach_disconnected not sufficient for overlayfs" [Critical,In progress] https://launchpad.net/bugs/1408106
17:22 <sbeattie> that's it for me, jjohansen?
17:22 <jjohansen> There are a couple of things to prep for the monthly apparmor meeting, some outstanding apparmor patches to finish reviewing, finish up the work on Bug #1408833, some work with tyhicks on the interaction of overlayfs and apparmor (as mentioned already Bug #1408106), and of course continuing the apparmor upstreaming work.
17:22 <ubottu> bug 1408833 in AppArmor "broken postinst test for uvtool-libvirt on utopic" [Undecided,Confirmed] https://launchpad.net/bugs/1408833
17:24 <jjohansen> that's it for me, sarnold
17:25 <sarnold> I'm in the happy place this week; I'm working on an update to coreutils, and there are five packages needing MIR auditing -- I probably can't get to all of them this week unless several of them are smaller than I expect
17:25 <sarnold> thanks to those filing early MIR requests :) much appreciated
17:26 <sarnold> that's it for me, chrisccoulson
17:26 <jdstrand> sarnold: fyi, I assigned one more to you today
17:26 <chrisccoulson> it's mozilla updates for me this week
17:26 <jdstrand> oh, I didn't try the new firefox yet
17:27 <chrisccoulson> I'm fixing a build failure (armhf) at the moment
17:27 <tyhicks> I thought chrisccoulson wanted us to do that tomorrow
17:27 <jdstrand> I thought by tomorrow
17:27 <tyhicks> ah
17:27 <chrisccoulson> other than mozilla updates, I'm working on bug 1377198 which fixes some weird behaviour in an API that the browser is using
17:27 <sbeattie> chrisccoulson: I'm running the new firefox, not seeing issues.
17:28 <ubottu> bug 1377198 in Oxide "CertificateError is not cancelled if you stop the pending navigation" [High,Triaged] https://launchpad.net/bugs/1377198
17:28 <chrisccoulson> excellent, thanks
17:28 <chrisccoulson> I think that's me done
17:29 <jdstrand> [TOPIC] Highlighted packages
17:30 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:30 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gcc-4.9-powerpc-cross.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ldap-account-manager.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/bfgminer.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ganeti.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/rawstudio.html
17:30 <jdstrand> [TOPIC] Miscellaneous and Questions
17:30 <jdstrand> Does anyone have any other questions or items to discuss?
17:31 <tyhicks> I've got one for jjohansen, sarnold, and sbeattie regarding the libapparmor patches waiting for review
17:31 <tyhicks> how can I help the review process there?
17:31 <jjohansen> tyhicks: can you please provide 48h to my day
17:31 <tyhicks> would it help if I wrote up a man page for the new functions?
17:32 <tyhicks> jjohansen: :)
17:32 <jjohansen> tyhicks: no, it's just spending the time to give them a proper review
17:32 <tyhicks> I need to write a man page before release, anyways, so it might help show the "bigger picture" during review
17:33 <tyhicks> jjohansen: ack - I figured that was the bottleneck but wanted to make sure there was nothing else I could do
17:33 <jjohansen> tyhicks: I would suggest holding off on that, I already have nacks on some of it
17:33 <tyhicks> ok
17:33 <sarnold> tyhicks: sorry, I was daunted by just how many patches are still outstanding..
17:33 <tyhicks> (please send out nacks asap so I can start on new revisions)
17:34 <tyhicks> jdstrand: that's all that I had
17:34 <jjohansen> sarnold: he was just trying to make sure you would have your fill over the Christmas break
17:34 <jjohansen> tyhicks: ack
17:35 <sarnold> jjohansen: no fear there, it was an impressive patch dump :)
17:36 <jjohansen> sure, now /me has to give sarnold an even bigger patch dump to keep him happy
17:36 <sarnold> :)
17:38 <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, chrisccoulson: thanks!
17:38 <jdstrand> #endmeeting